Delving into the Java encryption and hashing world, I see examples of the constructor for the PBEKeySpec class with various values for the iterationCount and the keyLength parameters. Nothing seems to explain what these parameters impact or mean.
I am assuming that keyLength is how long the key is, so 32-bit encryption would take a value of 32 for the key length, but that assumption feels wrong. My guess for the iterationCount is the number of times each char is encrypted; again, not feeling the love on that assumption either.
Links to info or an explanation are appreciated.
The iteration count is the number of times that the password is hashed during the derivation of the symmetric key. The higher the number, the more difficult it is to validate a password guess and then derive the correct key. It is used together with the salt, which is used to protect against attacks using rainbow tables. The iteration count should be as high as possible, without slowing your own system down too much. A more generic term for iteration count is work factor.
The key length is the length in bits of the derived symmetric key. A DESede key can be either 128 or 192 bits long, including parity bits. An AES key can be 128, 192 or 256 bits long. The problem is that it is not specified by the API which key length (bits / bytes, with or without parity) is meant; for PBEKeySpec the key size is in bits, including the parity bits, as shown in this section.
The key derivation function normally just outputs "enough" random bits, so that's why you can still specify the required key size.
Notes: use a secure random generator for the salt (e.g. new SecureRandom() and then nextBytes(int amount)). The salt can be public and stored with the ciphertext or password hash.
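The following is an added, self-contained example (not code from the question or the answer above) that puts the two parameters together: it derives a key with PBEKeySpec, shows that keyLength is counted in bits (256 yields a 32-byte AES-256 key), generates the salt with SecureRandom, and measures how the iteration count translates into wall-clock work. It assumes a Java 8 or newer runtime whose default provider offers the standard "PBKDF2WithHmacSHA256" SecretKeyFactory; the password, iteration count and salt size are constructed values for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbeKeySpecDemo {
    // Work factor (constructed value): each password guess costs this many HMAC rounds.
    // Tune it upward until derivation takes as long as your own system can afford.
    private static final int ITERATIONS = 600_000;
    // keyLength is in BITS: 256 asks PBKDF2 for a 256-bit (32-byte) AES-256 key.
    private static final int KEY_LENGTH_BITS = 256;
    // 16 random bytes of salt (constructed choice); the salt itself is not secret.
    private static final int SALT_BYTES = 16;

    // Salt from a cryptographically secure RNG. Note that the real signature is
    // nextBytes(byte[]): it fills the array you pass in with random bytes.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Derive keyLengthBits of key material from password + salt with PBKDF2-HMAC-SHA256.
    static byte[] derive(char[] password, byte[] salt, int iterations, int keyLengthBits)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyLengthBits);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the password held inside the spec
        }
    }

    // Verification path: re-derive with the stored salt/iterations and compare in
    // constant time so the comparison itself leaks nothing about where bytes differ.
    static boolean verify(char[] candidate, byte[] salt, int iterations, byte[] storedKey)
            throws Exception {
        byte[] derived = derive(candidate, salt, iterations, storedKey.length * 8);
        return MessageDigest.isEqual(derived, storedKey);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed
        byte[] salt = newSalt();

        long start = System.nanoTime();
        byte[] key = derive(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        long millis = (System.nanoTime() - start) / 1_000_000;
        // key.length is 32: keyLength was given in bits, and 256 / 8 == 32 bytes
        System.out.println("derived " + (key.length * 8) + "-bit key in " + millis + " ms");

        // Same password, salt and parameters reproduce the same key (what verification relies on).
        System.out.println("verify(correct): " + verify(password, salt, ITERATIONS, key));
        System.out.println("verify(wrong):   "
                + verify("Tr0ub4dor&3".toCharArray(), salt, ITERATIONS, key));

        // A different salt gives a different key for the same password, which is what
        // defeats precomputed (rainbow) tables.
        byte[] otherSaltKey = derive(password, newSalt(), ITERATIONS, KEY_LENGTH_BITS);
        System.out.println("different salt changes key: " + !Arrays.equals(key, otherSaltKey));

        // Everything needed to re-derive except the password is stored in the clear.
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println("stored record: " + ITERATIONS + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(key));

        Arrays.fill(password, '\0'); // don't leave the password lying around in memory
    }
}
```

Run it as `java PbeKeySpecDemo.java` (Java 11+) and watch the printed derivation time; doubling ITERATIONS roughly doubles it for you and for anyone guessing passwords against the stored record, which is the whole point of the work factor.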